Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe
-
Size
454KB
-
MD5
c91ca7a7775240001c0561985e00f02f
-
SHA1
c2960e0fbe92f88afaf9530544d70c1747d56f8b
-
SHA256
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777
-
SHA512
52f0328b29ab476a3a866e11b727befda9756455f43c14ec0da53ecc2f90a92a1912338cf487df5fc7bfd196cacc9a5c0a5e4c93535bfad1b19e328f89adfcb1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3836-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3012-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4928-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-1045-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-1199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-1405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-1569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2680-1685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4816 3jppp.exe 744 jdvvj.exe 1356 bbhhhn.exe 4104 btnnnn.exe 1996 frflfff.exe 4544 pppjj.exe 4180 hhtnnh.exe 2028 rrfrlfx.exe 4680 xrrxxrr.exe 4840 tnhbbh.exe 1872 dpvvp.exe 348 9nhhtt.exe 2068 vdppp.exe 3420 fffxrrl.exe 3904 nbntnn.exe 2944 7vjdp.exe 2584 xrfxfxf.exe 3528 frlfrrl.exe 2904 tnhbhh.exe 5012 dvpdv.exe 2504 ttbbnt.exe 112 pjpjd.exe 768 llflxxl.exe 1580 nhnnnt.exe 2460 jpjjv.exe 2020 ffffrff.exe 1784 nhnttn.exe 3012 jvjjd.exe 5068 hnnnbh.exe 4224 jpppj.exe 2600 lrlffff.exe 5064 ddjjj.exe 3264 bnthbh.exe 3132 dpddv.exe 4624 3lxxllr.exe 616 pjjdd.exe 1532 bbtnbn.exe 2616 llrlfxx.exe 3552 xxfffll.exe 2456 9jddp.exe 1340 ddppp.exe 2960 flfrflx.exe 4268 7nhhbh.exe 4708 vjdjj.exe 2304 fxlffll.exe 2396 lxlllll.exe 3924 hhnbbb.exe 1468 jjppp.exe 4772 vpjpj.exe 1404 ffffffl.exe 2604 hhnnnt.exe 4532 nhbbbb.exe 2408 9dppd.exe 1224 flllxff.exe 3608 7bhhhn.exe 1452 ppdvp.exe 2316 xrfxxll.exe 1356 nnnnbb.exe 1440 djdjd.exe 1424 llllfll.exe 1996 frffxff.exe 376 bthntt.exe 2052 jvvjd.exe 4616 llrxxlr.exe -
resource yara_rule behavioral2/memory/3836-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5064-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-378-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1700-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-1032-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3836 wrote to memory of 4816 3836 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 83 PID 3836 wrote to memory of 4816 3836 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 83 PID 3836 wrote to memory of 4816 3836 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 83 PID 4816 wrote to memory of 744 4816 3jppp.exe 84 PID 4816 wrote to memory of 744 4816 3jppp.exe 84 PID 4816 wrote to memory of 744 4816 3jppp.exe 84 PID 744 wrote to memory of 1356 744 jdvvj.exe 85 PID 744 wrote to memory of 1356 744 jdvvj.exe 85 PID 744 wrote to memory of 1356 744 jdvvj.exe 85 PID 1356 wrote to memory of 4104 1356 bbhhhn.exe 86 PID 1356 wrote to memory of 4104 1356 bbhhhn.exe 86 PID 1356 wrote to memory of 4104 1356 bbhhhn.exe 86 PID 4104 wrote to memory of 1996 4104 btnnnn.exe 87 PID 4104 wrote to memory of 1996 4104 btnnnn.exe 87 PID 4104 wrote to memory of 1996 4104 btnnnn.exe 87 PID 1996 wrote to memory of 4544 1996 frflfff.exe 88 PID 1996 wrote to memory of 4544 1996 frflfff.exe 88 PID 1996 wrote to memory of 4544 1996 frflfff.exe 88 PID 4544 wrote to memory of 4180 4544 pppjj.exe 89 PID 4544 wrote to memory of 4180 4544 pppjj.exe 89 PID 4544 wrote to memory of 4180 4544 pppjj.exe 89 PID 4180 wrote to memory of 2028 4180 hhtnnh.exe 90 PID 4180 wrote to memory of 2028 4180 hhtnnh.exe 90 PID 4180 wrote to memory of 2028 4180 hhtnnh.exe 90 PID 2028 wrote to memory of 4680 2028 rrfrlfx.exe 91 PID 2028 wrote to memory of 4680 2028 rrfrlfx.exe 91 PID 2028 wrote to memory of 4680 2028 rrfrlfx.exe 91 PID 4680 wrote to memory of 4840 4680 xrrxxrr.exe 92 PID 4680 wrote to memory of 4840 4680 xrrxxrr.exe 92 PID 4680 wrote to memory of 4840 4680 xrrxxrr.exe 92 PID 4840 wrote to memory of 1872 4840 tnhbbh.exe 93 PID 4840 wrote to memory of 1872 4840 tnhbbh.exe 93 PID 4840 wrote to memory of 1872 4840 tnhbbh.exe 93 PID 1872 wrote to memory of 348 1872 dpvvp.exe 94 PID 1872 wrote to memory of 
348 1872 dpvvp.exe 94 PID 1872 wrote to memory of 348 1872 dpvvp.exe 94 PID 348 wrote to memory of 2068 348 9nhhtt.exe 95 PID 348 wrote to memory of 2068 348 9nhhtt.exe 95 PID 348 wrote to memory of 2068 348 9nhhtt.exe 95 PID 2068 wrote to memory of 3420 2068 vdppp.exe 96 PID 2068 wrote to memory of 3420 2068 vdppp.exe 96 PID 2068 wrote to memory of 3420 2068 vdppp.exe 96 PID 3420 wrote to memory of 3904 3420 fffxrrl.exe 97 PID 3420 wrote to memory of 3904 3420 fffxrrl.exe 97 PID 3420 wrote to memory of 3904 3420 fffxrrl.exe 97 PID 3904 wrote to memory of 2944 3904 nbntnn.exe 98 PID 3904 wrote to memory of 2944 3904 nbntnn.exe 98 PID 3904 wrote to memory of 2944 3904 nbntnn.exe 98 PID 2944 wrote to memory of 2584 2944 7vjdp.exe 99 PID 2944 wrote to memory of 2584 2944 7vjdp.exe 99 PID 2944 wrote to memory of 2584 2944 7vjdp.exe 99 PID 2584 wrote to memory of 3528 2584 xrfxfxf.exe 100 PID 2584 wrote to memory of 3528 2584 xrfxfxf.exe 100 PID 2584 wrote to memory of 3528 2584 xrfxfxf.exe 100 PID 3528 wrote to memory of 2904 3528 frlfrrl.exe 101 PID 3528 wrote to memory of 2904 3528 frlfrrl.exe 101 PID 3528 wrote to memory of 2904 3528 frlfrrl.exe 101 PID 2904 wrote to memory of 5012 2904 tnhbhh.exe 102 PID 2904 wrote to memory of 5012 2904 tnhbhh.exe 102 PID 2904 wrote to memory of 5012 2904 tnhbhh.exe 102 PID 5012 wrote to memory of 2504 5012 dvpdv.exe 103 PID 5012 wrote to memory of 2504 5012 dvpdv.exe 103 PID 5012 wrote to memory of 2504 5012 dvpdv.exe 103 PID 2504 wrote to memory of 112 2504 ttbbnt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe"C:\Users\Admin\AppData\Local\Temp\bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\3jppp.exec:\3jppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\jdvvj.exec:\jdvvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\bbhhhn.exec:\bbhhhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\btnnnn.exec:\btnnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\frflfff.exec:\frflfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\pppjj.exec:\pppjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\hhtnnh.exec:\hhtnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\rrfrlfx.exec:\rrfrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\xrrxxrr.exec:\xrrxxrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\tnhbbh.exec:\tnhbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\dpvvp.exec:\dpvvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\9nhhtt.exec:\9nhhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\vdppp.exec:\vdppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\fffxrrl.exec:\fffxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\nbntnn.exec:\nbntnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\7vjdp.exec:\7vjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\xrfxfxf.exec:\xrfxfxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\frlfrrl.exec:\frlfrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\tnhbhh.exec:\tnhbhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\dvpdv.exec:\dvpdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\ttbbnt.exec:\ttbbnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\pjpjd.exec:\pjpjd.exe23⤵
- Executes dropped EXE
PID:112 -
\??\c:\llflxxl.exec:\llflxxl.exe24⤵
- Executes dropped EXE
PID:768 -
\??\c:\nhnnnt.exec:\nhnnnt.exe25⤵
- Executes dropped EXE
PID:1580 -
\??\c:\jpjjv.exec:\jpjjv.exe26⤵
- Executes dropped EXE
PID:2460 -
\??\c:\ffffrff.exec:\ffffrff.exe27⤵
- Executes dropped EXE
PID:2020 -
\??\c:\nhnttn.exec:\nhnttn.exe28⤵
- Executes dropped EXE
PID:1784 -
\??\c:\jvjjd.exec:\jvjjd.exe29⤵
- Executes dropped EXE
PID:3012 -
\??\c:\hnnnbh.exec:\hnnnbh.exe30⤵
- Executes dropped EXE
PID:5068 -
\??\c:\jpppj.exec:\jpppj.exe31⤵
- Executes dropped EXE
PID:4224 -
\??\c:\lrlffff.exec:\lrlffff.exe32⤵
- Executes dropped EXE
PID:2600 -
\??\c:\ddjjj.exec:\ddjjj.exe33⤵
- Executes dropped EXE
PID:5064 -
\??\c:\bnthbh.exec:\bnthbh.exe34⤵
- Executes dropped EXE
PID:3264 -
\??\c:\dpddv.exec:\dpddv.exe35⤵
- Executes dropped EXE
PID:3132 -
\??\c:\3lxxllr.exec:\3lxxllr.exe36⤵
- Executes dropped EXE
PID:4624 -
\??\c:\pjjdd.exec:\pjjdd.exe37⤵
- Executes dropped EXE
PID:616 -
\??\c:\bbtnbn.exec:\bbtnbn.exe38⤵
- Executes dropped EXE
PID:1532 -
\??\c:\llrlfxx.exec:\llrlfxx.exe39⤵
- Executes dropped EXE
PID:2616 -
\??\c:\xxfffll.exec:\xxfffll.exe40⤵
- Executes dropped EXE
PID:3552 -
\??\c:\9jddp.exec:\9jddp.exe41⤵
- Executes dropped EXE
PID:2456 -
\??\c:\ddppp.exec:\ddppp.exe42⤵
- Executes dropped EXE
PID:1340 -
\??\c:\flfrflx.exec:\flfrflx.exe43⤵
- Executes dropped EXE
PID:2960 -
\??\c:\7nhhbh.exec:\7nhhbh.exe44⤵
- Executes dropped EXE
PID:4268 -
\??\c:\vjdjj.exec:\vjdjj.exe45⤵
- Executes dropped EXE
PID:4708 -
\??\c:\fxlffll.exec:\fxlffll.exe46⤵
- Executes dropped EXE
PID:2304 -
\??\c:\lxlllll.exec:\lxlllll.exe47⤵
- Executes dropped EXE
PID:2396 -
\??\c:\hhnbbb.exec:\hhnbbb.exe48⤵
- Executes dropped EXE
PID:3924 -
\??\c:\jjppp.exec:\jjppp.exe49⤵
- Executes dropped EXE
PID:1468 -
\??\c:\vpjpj.exec:\vpjpj.exe50⤵
- Executes dropped EXE
PID:4772 -
\??\c:\ffffffl.exec:\ffffffl.exe51⤵
- Executes dropped EXE
PID:1404 -
\??\c:\hhnnnt.exec:\hhnnnt.exe52⤵
- Executes dropped EXE
PID:2604 -
\??\c:\nhbbbb.exec:\nhbbbb.exe53⤵
- Executes dropped EXE
PID:4532 -
\??\c:\9dppd.exec:\9dppd.exe54⤵
- Executes dropped EXE
PID:2408 -
\??\c:\flllxff.exec:\flllxff.exe55⤵
- Executes dropped EXE
PID:1224 -
\??\c:\7bhhhn.exec:\7bhhhn.exe56⤵
- Executes dropped EXE
PID:3608 -
\??\c:\ppdvp.exec:\ppdvp.exe57⤵
- Executes dropped EXE
PID:1452 -
\??\c:\xrfxxll.exec:\xrfxxll.exe58⤵
- Executes dropped EXE
PID:2316 -
\??\c:\nnnnbb.exec:\nnnnbb.exe59⤵
- Executes dropped EXE
PID:1356 -
\??\c:\djdjd.exec:\djdjd.exe60⤵
- Executes dropped EXE
PID:1440 -
\??\c:\llllfll.exec:\llllfll.exe61⤵
- Executes dropped EXE
PID:1424 -
\??\c:\frffxff.exec:\frffxff.exe62⤵
- Executes dropped EXE
PID:1996 -
\??\c:\bthntt.exec:\bthntt.exe63⤵
- Executes dropped EXE
PID:376 -
\??\c:\jvvjd.exec:\jvvjd.exe64⤵
- Executes dropped EXE
PID:2052 -
\??\c:\llrxxlr.exec:\llrxxlr.exe65⤵
- Executes dropped EXE
PID:4616 -
\??\c:\ntbhhh.exec:\ntbhhh.exe66⤵PID:4928
-
\??\c:\nntnhb.exec:\nntnhb.exe67⤵PID:2620
-
\??\c:\ppvpp.exec:\ppvpp.exe68⤵PID:4892
-
\??\c:\rlxrlrr.exec:\rlxrlrr.exe69⤵PID:3048
-
\??\c:\nhttnt.exec:\nhttnt.exe70⤵PID:208
-
\??\c:\vvddj.exec:\vvddj.exe71⤵PID:3208
-
\??\c:\xffxrrl.exec:\xffxrrl.exe72⤵PID:2200
-
\??\c:\nhnnnn.exec:\nhnnnn.exe73⤵PID:4376
-
\??\c:\9bbtnt.exec:\9bbtnt.exe74⤵PID:2228
-
\??\c:\jjppp.exec:\jjppp.exe75⤵PID:4628
-
\??\c:\xrxxrlr.exec:\xrxxrlr.exe76⤵PID:4428
-
\??\c:\thttnn.exec:\thttnn.exe77⤵PID:3476
-
\??\c:\pvjjd.exec:\pvjjd.exe78⤵PID:4632
-
\??\c:\pjpvv.exec:\pjpvv.exe79⤵PID:4024
-
\??\c:\rlxrllf.exec:\rlxrllf.exe80⤵PID:2892
-
\??\c:\lrfxflf.exec:\lrfxflf.exe81⤵PID:3428
-
\??\c:\nbnnhn.exec:\nbnnhn.exe82⤵PID:4016
-
\??\c:\jdpjd.exec:\jdpjd.exe83⤵PID:4688
-
\??\c:\llrlfxx.exec:\llrlfxx.exe84⤵PID:2300
-
\??\c:\xrrrllf.exec:\xrrrllf.exe85⤵PID:4084
-
\??\c:\dpvpj.exec:\dpvpj.exe86⤵PID:2040
-
\??\c:\vddvd.exec:\vddvd.exe87⤵PID:1004
-
\??\c:\fflxrrr.exec:\fflxrrr.exe88⤵PID:2056
-
\??\c:\rlrllff.exec:\rlrllff.exe89⤵PID:1580
-
\??\c:\7nbbhh.exec:\7nbbhh.exe90⤵PID:1136
-
\??\c:\jjvpj.exec:\jjvpj.exe91⤵PID:4852
-
\??\c:\rxlfxff.exec:\rxlfxff.exe92⤵PID:1700
-
\??\c:\hnbbnn.exec:\hnbbnn.exe93⤵PID:1784
-
\??\c:\pdvpj.exec:\pdvpj.exe94⤵PID:1928
-
\??\c:\ffrlfff.exec:\ffrlfff.exe95⤵PID:4228
-
\??\c:\btbbbb.exec:\btbbbb.exe96⤵PID:3988
-
\??\c:\dvjdd.exec:\dvjdd.exe97⤵PID:4592
-
\??\c:\lflflrr.exec:\lflflrr.exe98⤵PID:3512
-
\??\c:\xxllffx.exec:\xxllffx.exe99⤵PID:3172
-
\??\c:\1bhhhh.exec:\1bhhhh.exe100⤵PID:3224
-
\??\c:\jjvdd.exec:\jjvdd.exe101⤵PID:4292
-
\??\c:\xxfllrl.exec:\xxfllrl.exe102⤵PID:2968
-
\??\c:\xfllllr.exec:\xfllllr.exe103⤵PID:3624
-
\??\c:\9bnhhh.exec:\9bnhhh.exe104⤵PID:1016
-
\??\c:\7pvvv.exec:\7pvvv.exe105⤵PID:4980
-
\??\c:\rxrrfll.exec:\rxrrfll.exe106⤵PID:1564
-
\??\c:\htnnnn.exec:\htnnnn.exe107⤵PID:4184
-
\??\c:\bhnntt.exec:\bhnntt.exe108⤵PID:1548
-
\??\c:\pjdjv.exec:\pjdjv.exe109⤵PID:2456
-
\??\c:\lrlflrf.exec:\lrlflrf.exe110⤵PID:4700
-
\??\c:\1lflxfr.exec:\1lflxfr.exe111⤵PID:2708
-
\??\c:\nbnnth.exec:\nbnnth.exe112⤵PID:2192
-
\??\c:\vvppp.exec:\vvppp.exe113⤵PID:3404
-
\??\c:\rrfxllx.exec:\rrfxllx.exe114⤵PID:4012
-
\??\c:\lfxxxfl.exec:\lfxxxfl.exe115⤵
- System Location Discovery: System Language Discovery
PID:3840 -
\??\c:\bhnthn.exec:\bhnthn.exe116⤵PID:4240
-
\??\c:\5dppj.exec:\5dppj.exe117⤵PID:3612
-
\??\c:\lfllfll.exec:\lfllfll.exe118⤵PID:400
-
\??\c:\frffxfr.exec:\frffxfr.exe119⤵PID:916
-
\??\c:\tbnnnn.exec:\tbnnnn.exe120⤵PID:4724
-
\??\c:\1vjdp.exec:\1vjdp.exe121⤵PID:2216
-
\??\c:\dvdvp.exec:\dvdvp.exe122⤵PID:4532